25-Aug-86 23:40:57-PDT,14904;000000000000 Mail-From: NEUMANN created at 25-Aug-86 23:38:50 Date: Mon 25 Aug 86 23:38:50-PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS-3.42 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Monday, 25 August 1986 Volume 3 : Issue 42 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: $1 million bogus bank deposit (Barry Shein) Sometimes things go right (Matt Bishop) Re: Cheating of automatic teller machines (Dave Farber) Keystroke Analysis for Authentication (rclex) Computer Vote Counting In the News -- More (John Woods) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.) ---------------------------------------------------------------------- Date: Sat, 23 Aug 86 20:14:53 EDT From: Barry Shein To: RISKS@CSL.SRI.COM Subject: Re: $1 million bogus bank deposit > "We are now looking very closely at our internal systems. Human >error may also be involved," Kunowski said. There's that term "human error" again. Note Chernobyl, TMI, etc. They also seemed to like to speak of "human error". Is this a new form of excuse? Is it supposed to have PR value? What else? Alien-life-form error? Supernatural error? I know most of you agree with me, and this is essentially trite. I am just starting to sensitize badly to this techno-speak. -Barry Shein, Boston University [I have commented on this on various occasions. Many of the problems that we find are deeper sorts of "human error" -- the requirements are established badly (the DIVAD?), the design is flawed (Challenger booster rockets), the implementation is faulty (the first Shuttle launch), the patch was put in wrong (Viking), the system permits operation in an unsafe mode (Sheffield), etc. Those are clearly human errors, but they get treated in the opposite way -- not treated as human errors, but rather disanthropomorphized as "computer errors"! What you are saying is both essentially trite and very deep, both at the same time. PGN] ------------------------------ From: Matt Bishop To: risks@csl.sri.com Subject: Sometimes things go right Date: Mon, 25 Aug 86 08:19:14 -0700 All these letters about ATM's being outsmarted reminds me of an incident where someone gambled on the inability of a bank to change the programming for managing ATM's, and lost. This incident is described in Donn Parker's book on computer crime, which I seem to have left at home (so I can't give a reference), and it's interesting because it shows the risks in assuming things can't be done quickly. In Japan, someone kidnapped a little girl, and told her father to open an account at a bank which had ATM's throughout Tokyo, and put the ransom in that account. He was then to indicate the account number and password (in the newspaper via what Sherlock Holmes would call the agony column, I guess). The kidnapper would then withdraw the money from one of the ATMs. He figured there weren't enough police to watch all the ATMs and even if there were, they would have no way of distinguishing him from any of the other patrons who made legitimate withdrawals. Unfortunately for him, when the bank heard about this, they got several programmers together and working all night they changed the program controlling the ATMs to trap any transactions for that particular account, and immediately notify the operators at which ATM the withdrawal was taking place. They then put police at as many ATMs as they could. The father made the deposit, the kidnapper withdrew the money, and before he could get out of the ATM booth the police grabbed him. The girl was recovered safely. The programmers got a medal. The kidnapper went to jail. Kind of nice to know that sometimes things do go wrong for the better! Matt Bishop ------------------------------ To: Jacob_Palme_QZ%QZCOM.MAILNET@mit-multics.ARPA cc: RISKS FORUM Subject: Re: Cheating of automatic teller machines Date: Sat, 23 Aug 86 17:01:38 -0400 From: Dave Farber That's the modern analog to the favorite telephone trick, stuff cotton [or chewing gum] up the coin return, and come back latter to collect the coin returns. (It's harder to do with the new pay phones, but not impossible.) [Yes, many of the current tricks are reincarnations of earlier ones. But, as we get higher-tech, new tricks are emerging as well. PGN] ------------------------------ From: hplabs!caip!harvard!rclex!cdx39!jc@ucbvax.Berkeley.EDU Date: Wed, 20 Aug 86 10:07:37 edt Subject: Keystroke Analysis for Authentication (Re: RISKS-3.31) To: rclex!SRI-CSL.ARPA!RISKS > ... One gray area is checking > the match between credentials and credential-holders: this generally has > to be done by humans unless the credentials are something like retinagrams. Actually, this is easier to automate than most people would guess. A few years back, I saw a demo of one solution, which is as accurate as retinagrams, but is non-invasive. This was the measurement of a "typing profile" as a person typed something (it didn't much matter what) on a keyboard that recorded and reported microsecond-precision timing info on keystrokes. The idea was to make a list of the most common 2-character pairs (th, he, st, se, ...), calculate ratios of the top entries (th/he, he/st, th/st, ...), and normalize by dividing throughout by the mean value of the most common pairs. The resulting histogram turns out to be quite as specific as retinagrams and fingerprints, and even harder to counterfeit. Since then, I've been watching for applications, and have found instead that most people 1) have never heard of it, and 2) don't believe that it works. The people doing the demo weren't very concerned about either of these "problems". After all, only the ones making the decision to install it need know about it; it's better if the subject not know or understand the security system. As for the second point, it doesn't really matter whether the subject believe in it; it works regardless. It's surprising how short a message it works with. Obviously, you need at least 3 characters; it turns out that you don't need more than about 10. Of course, there are failures. But from a security viewpoint, they are in the right direction of labeling a person as "unknown", typically when they are typing irregularly due to fatigue or drugs. The demo system had no sign-on. You just started typing commands; the machine determined for each command who had typed it and whether the person was authorized to do what was asked. In particular, they liked to show an operator's console sitting in a non-secure area. The machine would obey commands typed by authorized operators, but not by anyone else. It was rather cute. A lot of people who tried using it got very nervous looks on their faces. "The machine really does know who I am, doesn't it?" Of course, you couldn't use this approach with just any commercial terminal. How could you get the timing figures out of a VT100, for example? But the data collection is well within the capabilities of the typical intelligent terminal with an 8-bit micro as a controller. I've occasionally wondered whether there are any other non-invasive identification techniques that are anywhere nearly as effective as this one. I haven't heard of any. But then, they might not be very widely advertised if they do exist. I've also wondered about the feasibility of using this a a "user friendliness" feature. Imagine not needing to sign on to a system; you just walk up to any terminal and start typing commands.... ------------------------------ Date: Sat, 23 Aug 86 21:13:24 EDT From: jfw@EDDIE.MIT.EDU (John Woods) To: risks@sri-csl.arpa Subject: Computer Vote Counting In the News [SOME NEW STUFF, SOME OLD] [SEE SUMMARY OF EVA WASKELL'S EARLIER TALK BY RON NEWMAN in RISKS-2.42] Use of computers in elections raises security questions Boston Globe, 23 August 1986, page 17 By Gregory Witcher, Globe Staff The computer programs that will be used to count the votes in elections this fall accross the United States, including a quarter of the votes in Massachusetts, are vulnerable to tampering and fraud, according to computer specialists, researchers, science writers and attorneys. Although no case of computer fraud has been proved, specialists say a large potential exists because of the lack of mandatory federal or state security guidelines to prevent it. In addition, they say, there are no independent means of auditing programs to verify they are working properly and most local election officials lack the computer skills necessary to detect if computer programs are secretly altered. "It's like a black box," says Eva Waskell, a Reston, Va., science writer who helped organize a recent two-day conference at Boston University on the potential of computer fraud in voting. "Election officials have no hard data to back their claims that these vote-counting programs are counting accurately." Sixty-five percent of the votes cast by Americans in the 1984 presidential election were tabulated by computer systems, according to the Federal Election Commission. In next month's Massachusetts primary, computer programs will be used to tally the votes in 26 percent of the state's 351 election precincts, the Secretary of State's office says. Four of every five of those votes will be tallied by a vote-counting program that has been challenged in cases now pending in state and federal courts in Indiana, West Virginia, and Maryland. In Indiana and West Virginia, the company was accused of helping to rig elections. The program was developed by Business Records Corp., formerly Computer Election Systems, a Berkeley, Calif., company that federal election officials estimate produces more than half the computer voting equipment used nationwide. Company officials in Berkeley and Chicago could not be reached for comment yesterday. John Cloonan, director of the elections division of the Massachusetts Secretary of State's office, said there have been no instances of computer fraud reported since Massachusetts first began using a computer-assisted voting system in 1967. Computerized voting is now used in Massachusetts jurisdictions ranging in size from Worcester, the state's second largest city with about 80,000 registered voters, to Avon, where there are 3,000 registered voters, Cloonan said. Voters in Boston and in one-third of all Massachusetts communities cast their ballots on mechanical lever-type machines. The remaining cities and towns use paper ballots. According to David Stutsman, who participated in the two-day seminar at BU, a recount of the votes cast in Elkhart County, Ind., in November 1982 showed that the computer program had improperly printed the results of one race in another, failed to count all the votes for one candidate and counted 250 more votes than there were voters in a third race. Stutsman is an attorney representing eight candidates who challenged the election results in lawsuits alleging that the vote counting was "false and fraudulent." Stutsman contended that a computer programmer from the company changed the computer program's instructions on election night, but without a system to record changes made in the pgram and without election officials knowledgable about how the program worked, "it was impossible to say how the votes were counted and whether they were counted accurately or not." In another case presented at the conference, a review of 1984 election results showed that President Reagan received 159 votes in the Trinity River Bottom precinct, defeating challenger Walter Mondale by a 3 to 1 margin in the Texas district inhabited only by squirrels, rabbits and fish. "The computer invented those numbers. The numbers could not have gone into the program but they came out," said Terry Elkins, a political researcher in Dallas who studied the election results. "No one lives there, so the fish must have voted." Despite reports like these, others remain confident that computer voting is not terribly vulnerable to fraud or error. "The smoke far outweighs the fires," William Kimberling, a federal elections administrator in Washington, said. Kimberling said that none of the allegations of fraud raised in the legal challenges has been upheld in court. ------------------------------ End of RISKS-FORUM Digest ************************ 25-Aug-86 12:38:36-PDT,1558;000000000005 Return-Path: Received: from XX.LCS.MIT.EDU by CSL.SRI.COM with TCP; Mon 25 Aug 86 12:38:32-PDT Date: Mon, 25 Aug 1986 15:08 EDT Message-ID: From: LIN@XX.LCS.MIT.EDU To: mikemcl@NRL-CSR.ARPA (Mike McLaughlin) Cc: risks@CSL.SRI.COM, arms-d@XX.LCS.MIT.EDU Subject: Words, words, words... In-reply-to: Msg of 3 May 1986 13:06-EDT from mikemcl at nrl-csr (Mike McLaughlin) The point is that a person who believes something, however erroneously, and espouses and publicly supports that belief, is *not* lying. These are complex times. There are many matters about which reasonable persons, even reasonable scientists, may differ. There is no point in saying that a person lied when that person was doing the best work possible based on the knowledge and belief available at the time. I'd like to believe this, but I think you leave out a major category -- how are we to classify what could be called "deliberate ignorance"? That is probably the most charitable label that one could give to the call for SDI -- a system that will eliminate the threat of nuclear ballistic missiles. Some people (some of them on RISKS) have called such statements merely "political rhetoric". But when the call is for defense of the entire population, and NO ONE in the scientific community believes that it is possible to frustrate a deliberate Soviet attack on the U.S. population, isn't that either lying (at worst) or deliberate dumbness at best? -------